Introducing Report-only mode for Conditional Access

This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.

Howdy folks!


We had such an awesome time at Ignite last week! It was great to meet with so many customers and we learned so much. And we were blown away by the level of excitement customers expressed for the new capabilities we announced.


I know many of you weren’t able to attend in person. Over the next two weeks we’re going to post more detailed blogs on the new capabilities we announced—so you can join in that excitement with us!


To kick things off, I’d like to start with one of our most highly requested features, the public preview of Report-only mode! Customers tell us they love Conditional Access because they can apply the right controls in the right circumstances. But the big challenge with deploying Conditional Access is figuring out how many users will be impacted by a policy.


Report-only mode is a new capability that allows admins to evaluate Conditional Access policies without enforcing the grant or session controls. During sign-in, policies in Report-only mode are evaluated but not enforced, and the sign-in logs record the expected result. Additionally, customers with an Azure Monitor subscription can monitor the impact of their Conditional Access policies using the new Conditional Access Insights workbook.


I’m excited to make it easier for IT admins to understand the impact of Conditional Access before potentially impacting users in their environments. Here’s what one of our early adopters had to say:


“We have used the early release of Report-only mode for Conditional Access for several months. It has been invaluable to enable an improved application and system security posture with greater agility and confidence. This feature allows us to implement security controls much quicker and reduce the likelihood rolling back a policy. I highly recommend customers evaluate utilizing this capability.”Robert Bowen Identity and Access Management Practice Leader for NCR Corporation


Daniel Wood, program manager for the feature, wrote a guest blog post to explain the details. As always, we’re curious to hear your feedback. Shoot an email to with your thoughts or leave a comment below—we look forward to hearing from you!

Best regards,


Alex Simons (@Alex_A_Simons )

Corporate VP of Program Management

Microsoft Identity Division 



Hi there!


I’m excited to announce the release of Report-only mode in public preview. Here is an overview of the feature. For detailed steps, see Configure a Conditional Access policy in report-only mode (Preview).


Enable a Conditional Access policy in Report-only mode


Report-only mode is enabled under the Conditional Access blade. Simply click + New Policy, or edit an existing policy, and then toggle to the new Report-only state!





Use the Conditional Access Insights Workbook


To monitor the overall impact of Conditional Access policies in your tenant, we published a powerful Conditional Access Insights workbook through Azure Monitor. Access the workbook by clicking Workbooks and then Conditional Access Insights.


To integrate Azure Monitor with Azure AD simply:


  1. Sign up for an Azure Monitor subscription and create a workspace (tutorial).
  2. Export the Sign-in logs from Azure AD to Azure Monitor (tutorial).

With the Conditional Access Insights workbook, you can view how many users and sign-ins are impacted by a set of Conditional Access policies. Set the parameters and the workbook will load automatically. Want to isolate the impact of just a few policies? Just select the ones you want in the Conditional Access policy drop-down.



To dig into your sign-in data further, you can edit the workbook to refine queries just for your organization. At the top of the workbook, click Edit to expose the underlying queries. Saving the workbook will create a new copy.


View Report-only result in Azure AD Sign-in logs


Once the policy is created in Report-only mode, it is evaluated during sign-in. From the Sign-ins page, click a sign-in to see which Conditional Access policies are applied. You can find Report-only policies in the new Report-only tab.





We hope that this feature helps you make it easier to deploy and monitor Conditional Access. And if you prefer managing Conditional Access through the new API, Report-only functionality will be rolling out shortly as well.


We look forward to getting your feedback on the feature as we prepare for general availability. You can let us know what you think at or in the comments below.

Thanks for reading!


Daniel Wood (@Daniel_E_Wood)



Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.